Fall 2018
Cybersecurity survey

Report | sponsored by

Key findings

Canadians are confident but there are cybersecurity risks

40 per cent of respondents experienced a cyber-attack in the last
12 months. Among large businesses, 250-499 employees, this number increases
to 66 per cent. Overall, one in ten experienced 20 or more attacks.

67 per cent of respondents outsource at least part of the
cybersecurity footprint to external vendors.

One-third of respondents indicated that the most significant
impact of a cyber-attack is the time and resources required to
respond to the incident.

88 per cent of respondents were concerned with the prospect of
future cyber-attacks, which resulted in 28 per cent suggesting
they would add cybersecurity staff in the next year.

Although 78 per cent were confident in their level of cyber-threat preparedness, 37 per cent didn't have anti-malware
protection installed and a shocking 71 per cent did not have a
formal patching policy – exposing these organizations to massive
security holes.

Only 54 per cent of small businesses provide cybersecurity
training for their employees even though the most common form of
malware seen by our respondents, phishing attacks (42 per cent),
directly exploit employees as a point of weakness.

While 59 per cent of respondents said they stored personal
information from customers, only 38 per cent said they were
familiar with PIPEDA.

Introduction

Canadian cybersecurity, Canadian report

Cybersecurity data is more plentiful than ever. Whether this is
because more organizations are supplying it or whether more hackers
are creating it is up for debate. Regardless of who or why the data
is being published, the conclusion is stark: cyber crime is rising
and shows no sign of slowing down.

According to the Trustwave Global Security Report, the global cost of
cybercrime was estimated at $600 billion USD in 2017. This included the
cost of protecting organizations and the global internet from the massive
upswing in DDoS attacks, the blight of ransomware and (the new bad guy on
the block) bitcoin mining malware. The problem is big and it is global.

Where does Canada fit in all this?

Most of the big cybersecurity research focuses on global organizations,
while locally the big security spending is in our larger organizations.
However, according to Statistics Canada,
about half of Canada’s 16 million workers are in smaller businesses
with up to 499 employees. With the help of our partners at Akamai,
CIRA set out to understand how the global threats impact these businesses
in Canada, how worried they are, and how they are responding to it.

For this research, we looked at organizations with up to 500 employees.
That said, we do understand that in the Canadian context
an organization with more than 250 employees is actually pretty large.
Importantly, these companies also serve, supply and partner with
individuals and larger organizations. They may not have the resources
to deploy complex security stacks and this makes them easier targets. As we
saw way back in 2014 with the attack on Target that leveraged the HVAC
system to get millions of credit card numbers, any sized business can
be a conduit into hacking a larger one.

And why do hackers want the information that you are in control of?
Simply put, personal data is valuable. Personal information is
being sold on the dark web
for as little as $5 for a credit card number, $30 for an entire
identity, or up to $1,000 for medical records. Do you still trust those
older computers with the open USB ports that sit unattended in the
little waiting rooms at your doctor’s office? There are hundreds of
examples of low hanging fruit for hackers in the everyday interactions
Canadians have with small businesses. All these situations are potential
breaches and many businesses don’t even know the risks.

Our goal with this survey is to provide insight into the Canadian
cybersecurity landscape and understand just how Canadian businesses
are preparing and coping with the new IT security reality.

A key element of building a better online Canada is ensuring
Canadians have safe, secure internet access. Through our
experience in managing the .CA domain for Canadians, we hope to
help lend our expertise in safeguarding Canada’s internet so that
Canadian businesses can thrive online.

Byron Holland, president and CEO, CIRA

Methodology

CIRA contracted the research firm, The Strategic Council, to interview
500 individuals with responsibility over IT security decisions.
The sample included both business owners and employees who manage
information technology. All the respondents had budgetary authority
over cybersecurity decisions.

In our sample, 92 per cent indicated that they were at least somewhat
familiar with the organization's computer and IT functions, while 8 per
cent held budgetary control but were less familiar with the systems
in place.

Respondents all have responsibility for IT decisions

Among those surveyed, 58 per cent were employees while 42 per cent
identified as self-employed or owners of businesses that employ others.
For-profit businesses represented 92 per cent of the sample, while
8 per cent were non-profit organizations.

Finally, among those employed inside an organization and responsible
for IT decisions, there was a relatively even distribution of
organization sizes, from those with only 10-19 employees (18 per cent)
to those with 250-499 employees (17 per cent). In short, this survey
presents a wide range of viewpoints that allows us to draw some interesting
conclusions about the cybersecurity landscape in Canada.

General IT areas included within job

49% System administration
41% Cybersecurity
40% Desktop IT
39% Networking
30% Other technical
40% Non-technical decision making

Familiarity with organization's computer systems / IT functions

92% Total familiar
44% Very familiar
48% Somewhat familiar
8% Total NOT familiar (but budget holders)

About the organizations

While our survey included a variety of businesses, the majority had
been in operation for quite some time with 52 per cent indicating
they have been in business for more than 20 years. While Canada is
known as a country of exporters, 67 per cent of businesses in our sample indicated
they do business in Canada only.

The top sectors represented in our sample were services,
manufacturing, finance, retail and construction.

Cyber-threat Exposure and Readiness

A growth for IT employment

While cybersecurity is no longer a mystery to most Canadian
organizations, we wanted to know more about how businesses are
preparing to meet these threats and gauge their level of exposure.
We asked generally about the kinds of digital tools and platforms
that organizations are using to provide insight into the level of
sophistication of their IT infrastructure and also to see where data
might be at risk.

Unsurprisingly, use of internet-connected devices topped the list at 61 per cent,
while cloud computing and storage platforms were present in 57 per cent
of respondents. While Canadians are often stereotyped as hewers of wood
and diggers of dirt (i.e. forestry and mining), it was fascinating to
learn that fully 30 per cent of respondents deploy an e-commerce platform
in their business – meaning they likely collect and store some personal data.

30% of organizations deploy an e-commerce platform

Reliance on vendors

Cybersecurity expertise is in high demand, and the industry moves
quickly. A recent report by Deloitte indicated that
5,000 cybersecurity jobs will need to be filled
in Canada between 2018 and 2021. The same report also uncovered
a global workforce gap of 1.8 million cybersecurity experts. This
creates a significant amount of competition for good people, and leads
to many organizations outsourcing their cybersecurity needs. Among our
sample, 34 per cent mostly relied on vendors, 33 per cent felt they
had an equal mix of insourced and outsourced resources, while 27 per cent reported
internal resources only. This underscores the importance of understanding
the security footprint of your managed service provider and ensuring
they have a complete suite of cybersecurity solutions.

How do you resource your cybersecurity?

34% External suppliers/vendors - all or mostly outsourced
27% Internal resources - all or mostly insourced
33% Both equally
3% Neither - no resources devoted to cybersecurity
3% Don't know

How many IT resources were primarily responsible for cybersecurity?

To get a better understanding of how committed organizations were
to cybersecurity, we first asked how many people worked in information
technology, and subsequently, how many have cybersecurity as their
primary responsibility.

While the report focuses on organizations with more than 10 employees,
we did note that among businesses with up to 10 employees, 41 per cent have no
internal resources for IT. Among IT employees in larger organizations,
the most common response was two to five people responsible for IT.

Number of employees with primary responsibility over IT

24% None
18% 1
33% 2 to 5
10% 6 to 10
7% 11 to 20
2% 21 to 29
3% 30 to 50
1% More than 50
3% Don't know

When we focused in on cybersecurity, the numbers suggest that somewhere
between 25 and 50 per cent of IT staff are assigned responsibility for
cybersecurity.

The weighted average number of IT staff as reported by IT employee respondents
was seven while the weighted average number of those responsible for
cybersecurity was four. This suggests that more than 50 per cent of
technical resources have at least some responsibility for cybersecurity.
This demonstrates just how much time, effort and resources are now
being diverted to fighting off bad guys rather than delivering value
to customers.

Number of employees who have a primary job responsibility for cybersecurity

34% None
26% 1
27% 2 to 5
8% 6 to 10
4% 11 to 20
1% 21 to 29
1% 30 to 50
1% More than 50
2% Don't know

Canadian companies are coping with cyber-threats by outsourcing a lot of work

As Canadian small and medium-sized businesses struggle to cope with the onslaught of cybersecurity threats, many are turning to external experts for help. Fully 51 per cent of respondents reported outsourcing to cybersecurity consultants or contractors. Interestingly, organizations with internal IT teams indicate that they are more likely to be outsourcing cybersecurity services than owners of smaller businesses (62 per cent vs 45 per cent). This highlights a significant vulnerability; smaller Canadian businesses often lack the resources to outsource their cybersecurity needs, but also face a lack of support in-house. It may also reflect the desire of larger IT teams to keep their internal resources focused on their users and outsourcing cybersecurity to experts.

Most concerning was the fact that 27 per cent of respondents said they lacked the resources to employ a cybersecurity professional, while 23 per cent didn’t employ a resource as they deemed the risk too low. Of course, as we know, businesses of all sizes and types are now at risk of a cyber attack. There are no longer businesses that are “too small” to be a target. In fact, it is often these smaller businesses that provide hackers with a way into the larger ones.

Canadian businesses are not islands; they are connected as vendors,
suppliers, contractors and customers. We must do everything we
can to ensure even the smallest businesses have the resources
they need to protect themselves and the Canadian SME ecosystem.

Dave Chiswell, vice president of product, CIRA

Main reasons for having no employees primarily responsible for cybersecurity

51% We use external consultants
27% We don't have the resources to employ a cybersecurity professional
24% All employees are responsible to a degree
23% Cybersecurity is not a high enough risk to this organization
4% We have cyber liability insurance
1% We are currently in the process of recruiting a cybersecurity professional
0% We can't find an adequate cybersecurity professional
2% Other
5% Don't know

For organizations that use external providers, respondents estimated
that they are spending on average 19 per cent of their budget on
cybersecurity.

Percentage of overall IT budget devoted to external cybersecurity service providers

14% Less than 5%
12% 5 to 9%
40% 10 to 14%
4% 15 to 19%
8% 20 to 24%
4% 25 to 29%
8% 20 to 49%
10% 50% or more
26% Don't know

Similarly, we found that 48 per cent of respondents outsourced at
least some of their network infrastructure or other IT related needs.
This makes sense as many organizations lack the expertise to run today’s
complex IT stacks.

However, it is important to note that outsourcing labour does not
offload cybersecurity responsibility to someone else. Managers should
be asking smart questions of their suppliers that go beyond the
functions of the software and hardware to understand how seriously
they treat cybersecurity.

Business confidence in their cybersecurity investment

Overall, the Canadian SMEs we surveyed are a pretty confident group; 78 per cent feel somewhat or very confident in the resources they have
devoted to cybersecurity. This doesn’t mean we surveyed a bunch of
IT managers with their heads in the proverbial snow, but rather they
feel they have done their best to balance risk vs. investment. A smart
IT manager knows that the only way to be 100 per cent cyber-secure
is to unplug everything.

How confident are you with your cybersecurity stance?

22% Very confident
56% Somewhat confident
16% Not very confident
3% Not confident at all
< 1% Prefer not to answer
7% Don't know

66 per cent felt they had “about the right number” of employees
responsible for cybersecurity. Conversely, 24 per cent felt they had
too few, which tells us that some of those confident managers from the
previous question may not be as confident as they’d like to be. To use
a sports analogy, no matter
how much you trust your team, you wouldn’t want to take the ice with
one less player than your opponent.

Perception of the number of employees responsible for cybersecurity

2% Too many
66% About the right number
24% Too few
2% Prefer not to answer
7% Don't know

Cybersecurity training for non-technical employees

Every IT manager knows that their department is rarely the
weakest link in their cybersecurity footprint—it’s all the other
departments that are the problem (sorry marketing).

Phishing and social engineering attacks look for weaknesses throughout
an organization, not just the technical systems. This makes training and
awareness critical for protecting your network. Among our respondents,
only 53 per cent offer cybersecurity training to at least some employees.
However, when we peel back the layers, the problem is even more acute.
When you look at organizations with formal IT teams, 65 per cent offer
cybersecurity training, while sole proprietor businesses offered
training only 35 per cent of the time. Additionally, when you compare
organizational size there is a huge difference in who is able to
provide broad training programs. Among organizations with 250-499
employees, 82 per cent offered training while only 54 per cent of
those with 10-49 employees did the same.

Organizations that provide at least some cybersecurity training by size

54% 10 to 49
69% 50 to 249
82% 250 to 499

Logically, these numbers make sense as larger organizations have
larger IT departments to deliver training, bigger budgets, and more
employees who are potential breach points.
Additionally, in larger organizations, the IT staff likely interact
less frequently and personally with their users so more formal
processes are necessary.

However, it is difficult to see this lack of training among smaller
businesses as anything less than a significant risk to Canada’s economy.
No matter how small the organization, or what their business entails,
Canadian businesses interact with each other. That small supplier who
services your photocopier could be the very window into which a hacker
will look to climb.

Training and awareness are critical to ensuring your business is
cyber-secure. No matter how great your IT team is, anyone with a
network-connected device can be the weak point that brings your
business down.

Jacques Latour, CSO, CIRA

Cyber-attack Reality
Is the glass half full?

Having spent the first half of this report on issues such as exposure,
readiness, and satisfaction with existing security, now it’s time to
get real—impact. How are Canadian SMEs being impacted by cyber-threats,
what are the costs, and how are they coping? For this portion of the
analysis, we will focus more on IT managers within organizations rather
than on owners of smaller organizations because the latter have more
formal protections, measurement tools, and policies in place.

Of the respondents, four in 10 are aware that they have experienced
cyber-attacks in the last 12 months. What was particularly striking
is how this response differs between IT professionals and budget
holding business owners. When business owners with budget control
over IT security were asked the same question, almost seven in 10 said
they had not experienced an attack. It seems likely, though we can’t
prove it with certainty, that many of these business owners are
experiencing breaches that they are unaware of. Given the often
automated nature of today’s cyber-attacks, it frequently requires
a trained eye to even know you have been a target. And finally, we
are actually surprised that the number is not 100% and believe that
respondents only considered it an attack if there was at least some
noticeable result.

As organizations increase in size so does the awareness of
cyber-attacks with fully 66 per cent of those with 250-499 employees
indicating that they had been a victim. Are larger organizations
experiencing more attacks because they are bigger targets or because
they have more sophisticated systems to detect a breach?

Incidence of experiencing cyber-attacks in the last 12 months - IT managers' answers

14% Yes, successful attacks
36% Yes, unsuccessful attempts
40% No
5% Prefer not to answer
6% Don't know

Incidence of experiencing cyber-attacks in the last 12 months - business owners' answers

6% Yes, successful attacks
18% Yes, unsuccessful attempts
67% No
4% Prefer not to answer
7% Don't know

YES, we have experienced a cyber attack - IT managers' answers by size of organization

42% 10 - 49 employees
50% 50 - 249 employees
66% 250 - 499 employees

Of those organizations that experienced an attack, most report fewer
than five in a year. Again, when you talk to IT managers they report
a significantly higher number of attacks on average. 7% of IT managers
reported 50 or more attacks.

7% of IT managers reported 50 or more attacks per year

A snapshot on Canadian internet traffic to malware sites

From a security standpoint, CIRA lives in the DNS world full time.
In addition to keeping the top-level DNS of over 2.8 million .CA
domains running we also deliver a secondary DNS service and cloud
DNS firewall service.

The cloud firewall service is a malware and phishing blocking service
named D-Zone DNS Firewall. When a user tries to click on a malware-infected
link, or an infected device attempts to reach its command and control
server through the DNS, the communication is refused. The refusal happens
in the cloud and a message is sent to the user via a block page alert in
the browser.

Each block is logged against its threat category for over 600,000
Canadian users, giving an unprecedented view of the Canadian landscape.
Our user base includes businesses, but we do have a heavy weighting
of users in the public sector at municipalities, universities, school
boards and hospitals. These types of organizations tend to run different
networks (in terms of public and private network profiles) than commercial
companies, but the lessons are similar.

In addition to threat blocking, we see organizations using the DNS for
content filtering. The types of content being filtered vary a lot across
organizations in Canada, and even within individual sectors. For example,
different school boards have very different policies for what types of
content they block for K-12 students. For the purposes of this report
this is simply an interesting observation; we will delve further into
it in a future analysis.

How often user devices attempt to access phishing and malware-infected URLs

We looked at all infected page and phishing page blocks in the month
of August 2018. This excludes significant botnet activity, to focus on
the user traffic that IT people need to deal with, but includes malware
applications inside the organization network that use HTTP traffic.
In either case, user or machine generated, this is highly undesirable
traffic.

Across our network in Canada, we saw that the average number of blocks
per user in a month was 3.1 blocks to infected pages per user and
0.6 blocks to phishing pages per user. (The number of users is
estimated based on the number of network users provided by the organizations
using the D-Zone DNS Firewall and includes estimates for the public networks
they have deployed.)
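As an added illustration (not CIRA's D-Zone DNS Firewall code), the following Python sketches the two mechanisms described above: a resolver-side policy check that answers a query for a blocklisted domain, or any of its subdomains, with a block-page address instead of the real record, and the monthly blocks-per-user metric computed from the resulting block log, leaving botnet traffic out as the text does. The blocklist, query log, per-organization user counts and the block-page address are all constructed sample values; the category names are assumptions.

```python
"""
Toy DNS-layer threat blocking and monthly blocks-per-user reporting.

Added illustration, not CIRA's D-Zone DNS Firewall code. Blocklist entries,
query log, organization user counts and the block-page address are all
constructed sample values.
"""
from collections import Counter

# Constructed blocklist: domain -> threat category. Sample names only, not real IoCs.
BLOCKLIST = {
    "evil-download.example": "malware",
    "login-verify.example": "phishing",
    "c2.botnet.example": "botnet",
}

# Address the resolver answers with for blocked names, so the browser lands on a
# block page instead of the malicious host (constructed; TEST-NET-1 range).
BLOCK_PAGE_IP = "192.0.2.10"


def lookup_category(qname):
    """Return the threat category for qname or any parent domain, else None.

    Walks from the full name up to the top label so that a subdomain of a
    blocklisted zone (cdn.evil-download.example) is caught as well.
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        category = BLOCKLIST.get(".".join(labels[i:]))
        if category is not None:
            return category
    return None


def resolve(qname):
    """Policy decision for one query.

    Returns (decision, category, answer): blocked queries get the block-page
    address and their category; allowed queries get None for both, meaning
    the resolver forwards them upstream as usual.
    """
    category = lookup_category(qname)
    if category is None:
        return ("RESOLVE", None, None)
    return ("BLOCK", category, BLOCK_PAGE_IP)


# Constructed query log: (date, organization, queried name).
QUERY_LOG = [
    ("2018-08-01", "orgA", "www.example."),                 # benign
    ("2018-08-01", "orgA", "cdn.evil-download.example"),    # malware, parent-domain match
    ("2018-08-02", "orgA", "evil-download.example"),        # malware
    ("2018-08-03", "orgB", "EVIL-DOWNLOAD.example"),        # malware, case-insensitive match
    ("2018-08-05", "orgB", "evil-download.example"),        # malware
    ("2018-08-09", "orgB", "evil-download.example"),        # malware
    ("2018-08-10", "orgA", "login-verify.example"),         # phishing
    ("2018-08-12", "orgB", "secure.login-verify.example"),  # phishing
    ("2018-08-15", "orgB", "c2.botnet.example"),            # botnet: excluded from the user-focused metric
    ("2018-07-31", "orgA", "evil-download.example"),        # July, outside the reporting month
]

# Constructed estimates of network users per organization (the report's
# denominator is likewise an estimate supplied by each organization).
USERS_PER_ORG = {"orgA": 4, "orgB": 6}


def block_rates(log, users_per_org, month, exclude=("botnet",)):
    """Blocks per user for `month` (YYYY-MM), keyed by threat category.

    Categories listed in `exclude` are dropped before counting, mirroring the
    report's exclusion of botnet activity from the user-focused figures.
    """
    counts = Counter()
    for day, _org, qname in log:
        if not day.startswith(month):
            continue
        decision, category, _answer = resolve(qname)
        if decision == "BLOCK" and category not in exclude:
            counts[category] += 1
    total_users = sum(users_per_org.values())
    return {cat: round(n / total_users, 2) for cat, n in sorted(counts.items())}


if __name__ == "__main__":
    for category, rate in block_rates(QUERY_LOG, USERS_PER_ORG, "2018-08").items():
        print(f"{category}: {rate} blocks per user in 2018-08")
```

Running the script reports 0.5 malware blocks and 0.2 phishing blocks per user for August 2018 on the constructed data. The parent-domain walk in lookup_category is the detail worth noting: a blocklist keyed only on exact names would miss cdn.evil-download.example, which is how a DNS-layer control most often gets bypassed by accident.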

Remember that these organizations deploy other forms of cybersecurity
in addition to the DNS layer, but the data we see suggests the benefits
of a DNS layer and the type of problems that IT managers can stop from
getting into their network by using a DNS firewall.

At this time we can’t point to any significant trends up or down in
Canada in terms of overall threat profile changes but we continue to
monitor it and look forward to some DNS-science based reports in the
future (so make sure you register for updates!)


Most common attacks seen by Canadian SMEs

The variety of cyber threats in the wild these days is enough to
confuse a Pokemon fan—some even have logos and support teams now—so
what should we be on the lookout for?

Among those identified in our survey, phishing and viruses were the
top two reported attack types with about four in 10 reporting each
attack type. Trojans and spyware were the next two most reported at
32 per cent and 30 per cent respectively. Rounding out the top five
was ransomware with 27 per cent reporting having experienced this
attack (successful or unsuccessful).

It is worth recognizing that for those who don’t work full time in
cybersecurity, familiarity with all the forms of malware (and their
differences) is not likely to be high. Therefore, while this data points
to a trend, precision is not likely high for the business owner respondents.

When asked to rank the types of attacks that could do the most damage,
the top five is identical but in a slightly different order.

Types of malware that could have the greatest negative impact

43% Virus
36% Ransomware
34% Trojan
29% Spyware
32% Phishing/Spear phishing
25% Worm
16% Backdoor
16% Keylogger
16% Unwanted applications
12% Adware
11% Bots or botnets
10% Cyber-currency miner
1% Other
3% Prefer not to answer
16% Don't know

A set of simple definitions for common malware types

Adware

Displays ads on your computer. Often installed along with free
tools installed by undesirable sources.

Spyware

Tracks internet activities.

Virus

Contagious program or code that attaches itself to another
piece of software, and then reproduces itself on the PC, network
or to other computers via file transfers.

Worm

Self-replicating threat that destroys data and files on the computer.

Trojan

Trojans seek to discover information, like financial details.
They can bring in other malicious code. Also used to take over
resources to launch attacks against other devices.

Rootkit

Typically lets other information-gathering malware in via a
back door.

Backdoors

Open a hidden path onto a computer, providing a network connection for
hackers or other malware.

Keyloggers

Records everything you type on your PC.

Ransomware

Locks the user out of the computer, or the data on its drives, until
they pay, generally via cyber-currency, to get a key. Even once you pay,
you may never get a working key.

Browser hijacker

Redirects normal search activity to give results the hacker wants
you to see. Its intention is to make money off your web surfing.
This can range from simply serving ad-based content to being used
to phish for your banking, or other, data.

Impact of cyber attacks

There comes a time in the evolution of any phenomenon when the thing
that was once remarkable is now just a part of everyday life. At CIRA
we are still coping with the idea that the word internet is no longer capitalized,
and for Canadian SMEs cybercrime is now just another cost of doing business.

Much like putting a lock on your doors or hiring a security guard,
cybersecurity should now be just another line item in the budget of
any Canadian business. This makes the need for reasonably priced
cybersecurity solutions even more acute, and highlights the value of
having layers of protection to reduce the risk of a breach.

While ransoms paid to cyber thieves to retrieve lost data often make
great headlines, one third of respondents indicated that the primary
cost of cyber-attack is the additional time required by employees to
respond to the incident. One in four indicated it prevented the use
of needed resources and/or prevented employees from completing day-to-day
work. On the positive side, relatively few indicated a loss of revenue
or customers (6 per cent each).

Ways in which organization was impacted by cyber-attacks in the last 12 months

33% Additional time responding to incident
29% Minor incident
26% Prevented the use of resources or services
8% Loss of revenue
6% Loss of customers
6% Damage to reputation of organization
6% Discouraged us from carrying out a future planned activity
5% Loss of suppliers or partners
4% Paid ransom
4% Fines from regulators or authorities
19% No impact at all
5% Don't know the extent of the impact

In our survey, only four per cent indicated that they paid a ransom to
a hacker. While this sounds small, Statistics Canada data from 2016 indicates
there are 1.17 million businesses in Canada. If we exclude companies with
fewer than 10 people, that’s 309,000 businesses. While we’re pretty
happy with our survey, if we allow a variance of +/-30 per cent it would
indicate that between 3,000 and 5,500 businesses in Canada paid a
ransomware demand.

According to Sophos, 75 per cent of organizations infected with ransomware were
running up-to-date endpoint protection.

Symantec reported that
the average ransomware demand dropped to only about $650
(converted to Canadian dollars) which means that the hackers are
now able to target smaller and smaller businesses with ransoms that
are just large enough to be profitable yet small enough to be paid
without much effort. Cybercrime is now big business.

Of course, large ransoms are still being extracted from larger
organizations, and we have a few recent, high-profile cases in
Canada. Attacks on Wasaga Beach, ON and Midland, ON both came with
initial ransom demands in the six-figure range (subsequently negotiated
down), but the full cost of recovery was estimated by both municipalities
to be approximately $250,000.

No matter how big or small a business is, cyber-thieves have a payment plan
ready for you. It is no longer exclusively the worry of large
corporate IT departments because the payment models for small business are clear and effective.

Prevention of future attacks

So if you’ve been hacked, what’s next? Among survey respondents who
reported experiencing a cyber-attack, just under half took at least
some additional action to help prevent reoccurrence. The most common
investment is in additional technology at 45 per cent, followed by
training at 40 per cent.

Actions taken to prevent future cyber-attacks

45% Installation of new software
40% Employee training
30% Security audit
27% Installation of new hardware
21% Addition of new cloud-based security
16% Hiring of new IT contractor or service providers
12% Hiring of new IT staff
2% Other
9% No actions taken
3% No answer

Level of concern

The first law of IT states that eventually everything will fail.
Apparently some guy named Murphy created the original version of this
law and cybersecurity professionals manage it with terms like "risk
mitigation" - not risk elimination. So with this in mind, how concerned
are IT professionals about future cyber-attacks?

Among those who have experienced a cyber-attack in the last year,
88 per cent were at least somewhat concerned about the prospect of
future attacks. For those who had not experienced an attack only
62 per cent said the same, while 25 per cent were not concerned.

72% report being concerned about future damage from cyber-attacks

On the preparedness front, fully 82 per cent of IT managers felt they
were prepared to defend against future cyber-attacks; the number falls
to 68 per cent when we ask business owners. In either case, we Canadians
are a confident lot.

77% report being prepared to defend against a future cyber-attack

Protection of data – one of the important why’s of cybersecurity

Customers are increasingly aware of the risks of storing their personal
data with businesses. Thanks Facebook. In fact, a recent report by Help
Net Security showed that 85 per cent of customers felt businesses should
do more to protect their data and 75 per cent said they wouldn’t buy
from a company who they felt couldn’t protect their data.

With this in mind, it was satisfying to see that the top reason our
respondents devote resources to cybersecurity is to protect the information
of customers.

The top five reasons were quite closely grouped between 44 per cent
and 55 per cent indicating that there are several reasons that organizations
felt protection was important. This included data protection of customers,
fraud or theft, data protection of employees and suppliers, operations
and e-commerce.

Cybersecurity Resourcing

Earlier we referenced a Deloitte report that indicated a growing need
for cybersecurity professionals in Canada. In our survey, fully 28 per
cent of organizations anticipate increasing the human resources they
apply to cybersecurity in the next 12 months. Among larger organizations
with 250 – 499 employees, this number grew to 38 per cent. Only three
per cent planned to decrease resources.

Anticipated change in human resources devoted to cybersecurity in the next 12 months

3% Decrease
66% Stay the same
29% Increase
4% Don't know

We saw similar results when we asked about investment levels. For
organizations that aren’t planning to increase spending the most
common reason was that they felt their current systems, staffing
and processes are the right amount of investment.

How are the resources being used?

Now that we know how businesses are allocating people and resources to
cybersecurity concerns, the next question is: what are these resources
focused on?

The tactic IT managers use most often to identify security risks is monitoring
of the network and firewall, at 61 per cent, followed by monitoring
individual computer use, at 41 per cent. These figures scale up as the
organization size scales. Auditing and penetration testing only
happen in just under 25 per cent of smaller organizations and just
under 50 per cent of the larger ones. We are not sure whether that means
the focus of most IT people is on using and deploying tools rather than on
planning and processes. This data does suggest an opportunity for
IT services vendors to help smaller businesses approach security
differently.

Activities undertaken to identify cybersecurity risks

Monitoring network and firewall: 61%
Monitor employees' use of computers and the internet: 41%
Formal risk assessment: 29%
Complete external audit: 24%
Penetration testing: 23%
None: 8%
Don't know or no answer: 14%

Free vs. paid tools

Cybersecurity is like every other digital industry—free tools are
plentiful. We asked respondents about the prevalence of free and
commercial tools within their organizations. Most organizations
use free (or open source) tools in addition to commercial
tools. However, as they grow in size they tend to rely more
on commercial tools for cybersecurity. Among organizations with
10-49 employees only 27 per cent relied solely on commercial tools,
while among those with 250-499 employees 56 per cent used only
commercial tools.

Is there a problem or risk associated with these results?

We have seen already that Canadian businesses are both concerned with
the threat of cyber-attacks yet also relatively confident in their
ability to keep their networks safe. Both these findings aren’t all
that interesting on their own, but if we dig deeper we see some
problems emerging.

Problem #1: Patching. What patching?

Zero-day vulnerabilities are among the most feared across the
industry. They are the stuff of big headlines—especially when day zero
is accompanied by a major hack. If you think your IT department is the
only one paying attention to zero-day vulnerabilities, I can assure
you scary folk in hoodies and sunglasses are too.

So, with zero-day vulnerabilities being such a security risk, only 29
per cent of respondents reported having a formal patching policy in
place. Wait, what? Even among organizations with 250-499 employees the
number only rose to 54 per cent.

This statistic flies in the face of the earlier answers, in which organizations
reported feeling generally satisfied with their cybersecurity investments and risk,
and it represents a major hole in any organization’s cyber-preparedness.

Incidence of having a formal patching policy

Yes: 29%
No: 36%
Prefer not to answer: 8%
Don't know: 27%

Problem #2: Shadow IT

Things were easier when computers weighed as much as a refrigerator.
Now we all have network-connected devices in our pockets, and IT
managers can never reliably know just what exactly is on their
network. Shadow IT describes technology that users are using within
your network that isn’t formally tested, approved and supported by
the IT department.

In our survey, 50 per cent of organizations report unmanaged installed
applications on end user machines. Another 26 per cent report
unmanaged cloud services, and 17 per cent report use of shadow IT on
either internal or cloud systems.

We tried to get an idea of the scope of the problem by asking
approximately how many instances of shadow IT respondents estimated
within their networks. The majority, 53 per cent, felt the number was
less than 10. The fact is, shadow IT is one of the most significant
vulnerabilities of any network and if your cybersecurity setup
consists exclusively of on-device solutions it may only be seeing part
of the problem.

Number of unique instances of shadow IT that exist within an
organization (respondent estimates)

0: 6%
1 to 10: 47%
11 to 50: 18%
51 to 100: 5%
101 to 250: 4%
More than 250: 1%
Don't know: 16%

Problem #3: Regulation

If you’ve visited a website in the last six months you are probably
sick of getting that cookie/tracking pop-up as companies respond to
requirements in the European Union's General Data Protection Regulation (GDPR).
Sorry to say, there’s more to come.

The recent high-profile changes under the GDPR raised the profile of
consumer privacy, and now Canada has some changes of its own that will
alter the landscape in this country.

The Canadian equivalent, the Personal Information Protection and
Electronic Documents Act (PIPEDA), will be undergoing some changes in
November 2018 that will significantly impact the risk profile and
compliance requirements for Canadian businesses.

Starting with the GDPR, it is no surprise that 66 per cent were
unfamiliar with the regulations, since most in our sample indicated
they do business only in Canada. Moreover, a follow-up question
revealed that only 13 per cent made changes in how they manage data
in response to GDPR.

Level of familiarity with European GDPR regulations

Very familiar: 8%
Somewhat familiar: 22%
Not very familiar: 23%
No knowledge: 43%
Don't know: 4%

On the positive side, 58 per cent were familiar with PIPEDA.
Conversely, 38 per cent of respondents indicated they are unfamiliar
with PIPEDA. This is a surprisingly high number given that nearly 60
per cent reported collecting personal data of customers, suppliers,
vendors or partners. The changes to PIPEDA will require all Canadian commercial
organizations to publicly disclose breaches in their security and
demonstrate that they are deploying the appropriate technology and
processes to protect the personal information they are collecting.

These changes completely transform the risk profile for Canadian
businesses, and given the number of respondents that expressed
confidence in their cybersecurity preparedness, we wonder if they
might now change their minds.

Level of familiarity with Canada's PIPEDA regulations

Very familiar: 17%
Somewhat familiar: 41%
Not very familiar: 22%
No knowledge: 16%
Don't know: 4%

How large is this risk to personal data? In our sample 59 per cent
indicated that they store personal information.

Cybersecurity: Made in Canada

As part of our mandate, CIRA believes that the Canadian internet must
be fast, accessible, safe and secure. For Canadian businesses to fully
take advantage of the power of the digital economy, they can’t have
networks filled with malware.

We asked survey respondents a few questions about the importance of
Canada and Canadian solutions in their cybersecurity plans.

Data sovereignty

Data sovereignty refers to the idea that data created by Canadians for
the exclusive use of Canadian organizations, businesses and
governments should not have to leave Canada in order to move around
the country.

Many Canadians are unaware that a portion of Canada’s network
infrastructure moves data through the United States while en route to
another destination in Canada. That email you send your cousin in
Ottawa from your condo in Toronto may very well pass through Chicago
before reaching its destination.

With this in mind, half of our survey respondents were concerned about
the prospect of their data being routed or stored outside Canada. When
we asked them about the purchasing decisions around network and
security services, 84 per cent said they choose Canadian companies
when outsourcing their IT needs. A full 73 per cent make an effort to
identify a Canadian firm first when making IT or cybersecurity
purchases.

Most importantly, 58 per cent of respondents felt that keeping
Canadian internet traffic in Canada can help with cybersecurity. With
legislation like PIPEDA in mind, it is important to remember that any
time your data crosses an international border it is subject to the
laws and regulations of that country—and not every country shares
Canada’s values.

Having made-in-Canada infrastructure means you know where your
data flows within Canada and that increases your security posture.

Jacques Latour, chief technology officer, CIRA

Summary: Canadian businesses are confident but the landscape is changing

The good news is that Canadian small and medium-sized businesses are
aware of the risks associated with cyber-attacks, worried about their
impacts, and largely satisfied with their current level of
preparedness. The bad news is the world of cybersecurity does not
stand still. Changes in legislation, shadow IT, and new attack vectors
are constantly popping up that require ongoing vigilance and
adjustments.

We see, on average, that Canadian small and medium-sized businesses are investing
more in cybersecurity by hiring more staff and implementing more
security technology. The analysis does suggest some good reasons why
they should perhaps not feel quite as confident as they do. Not nearly
enough Canadian businesses have implemented a formal patching policy
to protect against zero-day exploits. Many are unaware of the pending
changes to PIPEDA, and of the risks associated with them. And while
shadow IT isn’t an unknown entity to most of our respondents, it is
impossible to know the full scope of the problem.

If you have read any of our riveting marketing material in the past,
you will know we’re big fans of layers. Cybersecurity requires not
one solution but a variety of products that protect different layers
of the cybersecurity stack and reinforce each other. So how many of
these layers are Canadian businesses deploying? What policies and
products are they putting in place to protect themselves?

We believe in building products and solutions for the Canadian market,
to solve uniquely Canadian problems. Our suite of cybersecurity
solutions is specifically built with Canada in mind. Our more than 20
years of managing the .CA has allowed us to deploy our expertise in
managing and protecting the DNS to create products like D-Zone DNS
Firewall, a critical layer of your cybersecurity footprint.

By reporting on cybersecurity trends and data we hope to continue to
build up Canada’s cybersecurity capacity—in knowledge, people and
solutions—to ensure our internet remains strong and free.
